Can PIPEDA protect you against discarded sensitive data?
One man’s garbage is another’s treasure! The phrase fits today’s era, in which criminals dig through trash to retrieve bank and credit card statements, expired credit cards, account statements, cancelled cheques, and other financial documents. Searching through discarded material in this way is called “dumpster diving”. Traditional dumpster diving has now evolved into a means of carrying out identity theft and related frauds.
With businesses holding voluminous customer data, mishandling even one document can lead to catastrophic consequences. Are companies taking proper measures when disposing of sensitive personal information? Do PIPEDA’s provisions protect individuals against dumpster diving?
Dumpster Diving – is it legal in Canada?
In Canada, dumpster diving is not illegal per se. Garbage in the public domain can be searched by any person. The Supreme Court of Canada held in R v Patrick, 2009 SCC 17 that individuals do not have a reasonable expectation of privacy in their garbage. Therefore, dumpster diving can be conducted on trash that is available in the public domain. However, offences such as identity theft are punishable under section 402.2 of the Criminal Code. Section 402.2(2) of the Code makes any person who transmits, makes available, distributes, sells, or offers for sale another person’s identity information liable to imprisonment. Section 402.2 is reproduced below for reference:
“402.2 (1) Every person commits an offence who obtains or possesses another person’s identity information with the intent to use it to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence.
Trafficking in identity information
(2) Everyone commits an offence who transmits, makes available, distributes, sells, or offers for sale another person’s identity information, or has it in their possession for any of those purposes, knowing that or being reckless as to whether the information will be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence.
Clarification
(3) For the purposes of subsections (1) and (2), an indictable offence referred to in either of those subsections includes an offence under any of the following sections:
(a) section 57 (forgery of or uttering forged passport);
(b) section 58 (fraudulent use of certificate of citizenship);
(c) section 130 (personating peace officer);
(d) section 131 (perjury);
(e) section 342 (theft, forgery, etc., of credit card);
(f) section 362 (false pretence or false statement);
(g) section 366 (forgery);
(h) section 368 (use, trafficking or possession of forged document);
(i) section 380 (fraud); and
(j) section 403 (identity fraud).
Jurisdiction
(4) An accused who is charged with an offence under subsection (1) or (2) may be tried and punished by any court having jurisdiction to try that offence in the place where the offence is alleged to have been committed or in the place where the accused is found, is arrested or is in custody. However, no proceeding in respect of the offence shall be commenced in a province without the consent of the Attorney General of that province if the offence is alleged to have been committed outside that province.
Punishment
(5) Everyone who commits an offence under subsection (1) or (2)
(a) is guilty of an indictable offence and liable to imprisonment for a term of not more than five years; or
(b) is guilty of an offence punishable on summary conviction.”
PIPEDA and Dumpster Diving
The Personal Information Protection and Electronic Documents Act (PIPEDA) lays down ten fair information principles for organizations: Accountability; Identifying Purposes; Consent; Limiting Collection; Limiting Use, Disclosure, and Retention; Accuracy; Safeguards; Openness; Individual Access; and Challenging Compliance.
Principle five of PIPEDA, Limiting Use, Disclosure, and Retention, states that unless someone consents or it is required by law, an organization can keep personal information only until the purpose is served. Personal information must be disposed of once it no longer has a specific purpose or the intended purpose has been served. Disposal should protect privacy as far as possible. Methods of destruction such as shredding paper documents, disintegration, incineration, pulverizing, and melting can be used. The sensitivity of the personal information must be taken into account in determining the best way to dispose of it.
Organizations must also effectively delete all personal information before disposing of any electronic devices such as computers, mobiles, and photocopiers. Further, employees must be given proper training in handling personal information. Organizations are responsible for the complete and irreversible destruction of any discarded personal information so that it cannot be retrieved in any manner. In the process, all backup files and copies must be destroyed along with the originals. It is advisable to have a retention schedule and policy to facilitate the storage, supervision, and disposal of information.
Conclusion
PIPEDA makes it mandatory for organizations to handle, retain, and destroy personal information responsibly. However, it is observed that once an identity theft occurs, it becomes challenging for the authorities to track the origin of the lapse. Also, since identity theft is a criminal offence, the Privacy Commissioner needs to coordinate with police officers for investigation purposes. Better collaborative strategies must be developed to save time and resources in these investigations. Lastly, a monetary compensation scheme should be laid down for the victims of identity theft. The organizations responsible for the lapse must be held accountable for the loss and must indemnify the victims.
The content of this post is intended to provide a general guide to the subject matter and express purely academic views of the author. Specialist legal advice should be sought about your specific circumstances.